This question is part of a case study (Case 11).
CASE STUDY: CareData Health
Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.
Current Technical Environment:
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views
Business Requirements:
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners
Executive Statements:
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."
Technical Requirements:
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data
Constraints:
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with
QUESTION:
To meet the CISO's requirement of preventing unauthorized data exfiltration from the centralized data lake (BigQuery and Cloud Storage), which security control should you implement?
GCP PCA · Question 14 · Domain 2: Managing and Provisioning a Solution Infrastructure
To meet the requirement for comprehensive audit logging, the security team needs to retain all data access logs for 7 years and query them rapidly during compliance audits. How should you configure this?
Answer options:
- Enable Data Access audit logs and retain them in Cloud Logging for 7 years.
- Enable Data Access audit logs in Cloud Logging and create a log sink to route them to BigQuery.
- Export the logs to a Cloud Storage Archive bucket.
- Install the Ops Agent on all VMs to send syslog data to Security Command Center.